HHH-15033 Restrict JNDI lookups to "java" scheme

hibernate-core/src/main/java/org/hibernate/engine/jndi/JndiException.java

@@ -22,4 +22,14 @@ public class JndiException extends HibernateException {
 	public JndiException(String message, Throwable cause) {
 		super( message, cause );
 	}
+
+	/**
+	 * Constructs a JndiException
+	 *
+	 * @param message Message explaining the exception condition
+	 */
+	public JndiException(String message) {
+		super( message );
+	}
+
 }

hibernate-core/src/main/java/org/hibernate/engine/jndi/internal/JndiServiceImpl.java

@@ -6,6 +6,8 @@
  */
 package org.hibernate.engine.jndi.internal;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.Hashtable;
 import java.util.Map;
 import java.util.Properties;
@@ -114,6 +116,16 @@ public class JndiServiceImpl implements JndiService {
 	}
 
 	private Name parseName(String jndiName, Context context) {
+		try {
+			final URI uri = new URI( jndiName );
+			final String scheme = uri.getScheme();
+			if ( scheme != null && (! "java".equals( scheme ) ) ) {
+				throw new JndiException( "JNDI lookups for scheme '" + scheme + "' are not allowed" );
+			}
+		}
+		catch (URISyntaxException e) {
+			//Ok
+		}
 		try {
 			return context.getNameParser( "" ).parse( jndiName );
 		}